What is whistleblowing and who can be a whistleblower?
Although the term ‘whistleblower’ is only to become known in many EU countries thanks to a new EU legislation, in the English-speaking world, whistleblowers have been referred to for centuries as persons who report violation of social order, laws, ethical norms or other written or unwritten rules to the competent authorities so that they can put an end to that abuse or fraud. America, in particular, has a long tradition of whistleblowing, which also serves as a guarantee of transparency and fair operation.
In general, whistleblowing may be submitted to a public body or authority, but in the case of breach of ethical standards set out by a certain organization, the report shall only be addressed to the body which is of interest to the abuse concerned. Depending on the country’s legal system, there may be procedures that require the person concerned to report the abuse or fraud directly to the organization in advance.
In this article, we briefly review the background of this legal institution, the main provisions of the Whistleblowing Directive and the current state of its implementation into the legal system of the Member States.
1. The background of whistleblowing
The word is linked to the use of a whistle to alert the public or a crowd about a bad situation, such as the committing of a crime or the breaking of rules during a game. The phrase whistle blower attached itself to law enforcement officials in the 19th century because they used a whistle to alert the public or fellow police. Sports referees, who use a whistle to indicate an illegal or foul play, also were called whistle blowers.
The historical antecedents of modern whistleblower systems lie in the tradition of qui tam actions of the Anglo-Saxon law, which meant that if a citizen caught another citizen in the act while committing a serious breach, he could “sue” him in the name of the state and for his own benefit. The primary reason for the establishment of this legal institution was that the king did not have police officers to enforce the law, so he had to rely on civilians, to whom he paid a bounty in case they won the case.
“Qui tam” is shortened from of the Latin phrase “qui tam pro domino rege quam pro se ipso in hac parte sequitur” that translates to “he who prosecutes for himself as well as for the King.”
The essential element of “qui tam” actions is therefore to reward the civil party involved if proceedings are concluded successfully. The earliest written record of such procedures dates from 695 A.D. and is related to Shabbat. According to Jewish religious law, during Shabbat which begins Friday evening at sunset and ends Saturday evening at sunset, any working activities are prohibited. Anyone who noticed that someone was violating this ban was entitled to half of the fine imposed on that person on the basis of the report. Nowadays, “qui tam” proceedings are most commonly referred to as actions brought under the U.S. False Claims Act.
The legal institution of whistleblowing has the longest history in the USA, and still has the longest tradition and practice of reporting breaches both at official and organizational level. The importance of this legal institution overseas is justified by the fact that, after gaining independence from the British Crown, it became necessary to adopt legislation that protected whistleblowers from retaliation for legitimate acts of whistleblowing. But there are still a number of laws in force that allow anyone who experiences abuse to report it as a whistleblower and, in addition to being entitled to protection, may receive a reward in some cases.
Back in the late 1770s, sailors Samuel Shaw and Richard Marven “reported” their superior, who tortured British soldiers in front of them. After submitting the report, they were immediately disqualified from the navy and criminal proceedings were initiated against them, as a result of which they had to remain in custody waiting for a judgement to be delivered. Still in prison, they wrote a letter to the Congress asking for help – their efforts paid off: in 1778, the Congress passed the first whistleblower act.
Since then, whistleblowing in the United States has progressed to the point where, if someone reports an abuse or fraud to the US Securities and Exchange Commission supported by sufficient evidence, and the proceedings are closed with imposing a fine, the reporter shall be entitled to a certain percentage of the fine. The SEC has already paid more than $1 billion to whistleblowers.
In addition to SEC practice, there are numerous legislation in force in the United States that allow whistleblowers to report abuse or fraud in order to safeguard the public interest.
Legislation supporting whistleblowers at this level is not that widespread in the European Union, however, thanks to the Directive, from 17 December 2021, it will generally be possible in principle to report abuses at organizational level, and in such cases the protection of the whistleblowers shall be granted.
2. The Whistleblower Directive (Directive (EU) 2019/1937)
The protection as set out in the Directive shall apply to all reporting persons working in the private or public sector who acquired information on breaches in a “work- or employment-related” context.
It is easy to see that, breaches, whether in the public or private sector, are most often experienced by those who work there or come into contact with them in the course of their work-related activities.
Workers as whistleblowers
In the course of their work, workers have priority access to information on breaches the reporting of which would be in the public interest, however, they are the ones who may be most affected by retaliation for reporting such information, as they are in a vulnerable position due to the hierarchical relationship. These individuals will primarily report the abuse or fraud they experience if they are confident that their identity will remain confidential and whistleblowing will not cause them detriment.
The Directive therefore provides protection for the widest possible range of workers. The following persons may therefore submit reports through the reporting channels established under the Directive:
- Workers in the traditional sense;
- Civil servants in the public service, municipal employees in any form of employment;
- Other “workers” as defined by the Member States’ rules applicable to employment and contractual relations.
The Directive states that protection should, thus, also be granted to workers in non-standard employment relationships, including part-time workers and fixed-term contract workers, as well as persons with a contract of employment or employment relationship with a temporary agency.
The discovered breach may also be reported by a person whose employment relationship has already been terminated but who is aware of the information obtained during the course of the employment, and may even be reported by a person whose employment has not yet begun but obtained breach-related information during the recruitment procedure or pre-contractual negotiation.
It was realized that in addition to employees, other individuals and organizations with a looser working relationship with the organizations violating the law can also play a key role in exposing and preventing breaches of EU law. They are also subject to the fact that, in the absence of adequate protection, they may also find themselves in an economically vulnerable position when reporting an abuse or fraud, so the Directive extends the scope of whistleblowers to persons who acquired information on breaches in a work-related context, including:
- self-employed entrepreneurs;
- shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members;
- volunteers and unpaid trainees, and
- any persons working under the supervision and direction of contractors, subcontractors and suppliers.
Empirical studies show that the majority of whistleblowers report abuses directly within the organization where they work. However, in addition to employees, those with a contractual relationship with the organization acting unlawfully can easily detect breaches; for example, when it comes to product safety, the suppliers and their employees are most likely to expose unfair and even illegal manufacturing, importing or distributing practices related to unsafe products. Similarly, when it comes to the use of EU funds, for example, consultants are in a privileged position to expose breaches they become aware of.
However, these individuals may also face retaliation in the absence of adequate protection, from the termination of their contract, through the loss of revenue, to reputational damage if they are not provided with an appropriate and secure channel for reporting abuses and no measures are taken to protect the confidentiality of their identities.
Protection provided for facilitators, colleagues or relatives of the reporting person
The level of protection provided for whistleblowers shall also be applied to third parties and entities related to the whistleblower who may also be affected by retaliation, either in relation to their employment relationship or their contractual relationship with the organization involved in the abuse, namely
- facilitators of the reporter – which means natural persons who assist a reporting person in the reporting process in a work-related context, and whose assistance should be confidential;
- third persons who are connected with the reporting persons and who could suffer retaliation in a work-related context, such as colleagues or relatives of the reporting persons; and
- legal entities that the reporting persons own, work for or are otherwise connected with in a work-related context.
3. Violation of the Code of Ethics
Whether on the basis of a legal obligation or on a voluntary basis, an organization may decide to introduce a code of ethics and a specific procedure in case of non-compliance. The rules governing the introduction of such codes of ethics are not as strict as those of AML policies.
The code of ethics should set out the moral, ethical principles and expectations that the organization requires its employees to adhere to in their day-to-day work, both to each other and to outsiders. Some organizations go further in regulating workplace behaviour and incorporate general rules for life outside the workplace into these codes. In recent years, there have been a number of cases where a company has terminated the employment of an employee because he has violated their code of ethics, so it can be said that such soft regulatory tools are playing an increasingly important role in building an organizational culture.
As mentioned above, in addition to the moral requirements, it is strongly recommended to set out the rules of procedure for the organization to receive and investigate whistleblower reports on the violations of the code of ethics.
Some areas that organizations tend to cover in their code of ethics:
- Rules for workplace and managerial behaviour related to the protection of the reputation of the organization.
- Behavioural standards, whether online or in real life; mutual respect, prohibition of discrimination, harassment and exclusion.
- Rules for political involvement and contact with political actors.
- Fair business conduct and anti-corruption practices.
- Conflict of interest.
- Standards for anti-money laundering and fair competition practices.
4. Implementation of Whistleblower Directive into the legal system of the Member States
It follows from the legal nature of directives that regulations, such as the GDPR, are not directly applicable, so that in order to be effective, they must be introduced into national law by all Member States – this is what we call implementation.
Implementation should have been completed in all Member States by 17 December 2021, but there are only 3 Member States where the necessary legislation has actually been adopted: Sweden, Denmark and Portugal.
Legislation has already been implemented in the above Member States to ensure that whistleblowers are adequately protected in the event of reporting breaches of Union law that are harmful to the public interest; in the other Member States, the adoption of the Directive is expected to take place in the first half of 2022.
5. How does a whistleblower software help you?
When a whistleblower submits a report, the receiver organization shall ensure that the reporter’s identity remains confidential and thus no retaliation can be imposed on him or her. If the organization fails to do so for any reason, a fine will be imposed on them under the regulation. In such cases, a fine will be imposed not only under the Whistleblower Directive, but almost certainly under the GDPR as well, as it shall be considered a personal data breach.
In order for the organization to be able to fulfil its legal obligation, it is important that the reports are to be received in a secured, closed system, which can be accessed solely by the authorized person(s) conducting the investigation. It is therefore not a good practice that IT professionals, for example, have access to reports even in principle, as it is not their job to investigate the reports, moreover, they might be the reported ones.
It is therefore essential to ensure the the confidentiality of the identity of the reporting person is protected, which is supported by Whisly, the whistleblower software in several ways:
- allowing anonymous whistleblowing, in which case the organization will not receive any personal data;
- outsourced data processing, which ensures the confidentiality of the whistleblower’s identity even in case of non-anonymous reporting;
- encrypted communication and encrypted data storage;
- ISO 27001 IT infrastructure.
Whisly also provides the opportunity for the investigator to communicate confidentially with the whistleblower through the system after the report has been submitted, and the whistleblower may amend their report directly through the system at any time. Using the software, the investigation can be conducted in a GDPR-compliant way and it can provide additional support to the investigator in the following areas:
- admin interface with an advanced task manager that helps you conduct the investigation as it contains the tasks to be performed;
- autofill templates;
- you can add notes for each task, attach related emails and files, or set reminders;
- sending and receiving messages;
Whislyt, the whistleblower software is specifically designed to provide full support to investigators, even if they do not have the necessary knowledge and experience in investigating whistleblower reports.